Outsourcing technology is a ‘systemic risk’ for banks
The Financial Stability Board (FSB) has warned banks about the “possibility of systemic risk” from outsourcing to a few third-party technology companies.
In the wake of the Wirecard scandal, the FSB raised concern over a trend for financial institutions collectively to use fewer third-party technology providers. It suggests that a fault in one third party could cause financial instability.
In its discussion paper – Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships – the FSB said, “A common concern... is the possibility of systemic risk arising from concentration in the provision of some outsourced and third-party services to [financial institutions]. These risks may become higher as the number of FIs receiving critical services from a given third party increases.
“Systemic risk could arise if, for instance, a sufficiently large number of FIs (or a single systemic FI) became dependent on one or a small number of outsourced or third-party service providers for the provision of critical services that were impossible or very difficult to substitute effectively and in an appropriate timeframe, for instance due to limitations in the capacity of alternative third parties or other back-up solutions.
Cloud 'resilience options’
“A major disruption, outage or failure at one of these third parties could create a single point of failure with potential adverse consequences for financial stability and/or the safety and soundness of multiple FIs. The ultimate impact would depend on the specific services being provided, the criticality and substitutability of those services, and the mitigation plans in place by FIs and the third party in question.
“Industry practice on mitigation plans is evolving rapidly and encompasses an ever-growing range of contractual, practical and technological approaches. For instance, retaining the ability to bring data or applications back on-premises in a way that ensure continuous adequate performance; creating and securing back-up copies of sensitive data, using of multiple or back-up vendors or, in the case of cloud outsourcing, using one or more resilience options.
“While mapping and understanding the system-wide effects of third-party dependencies is not a new issue, it remains an evolving area for supervisory authorities due to the heterogeneity of services provided and the changing ecosystem. Given the cross-border nature of this dependency, supervisory authorities and third parties could particularly benefit from enhanced dialogue on this issue.”
The paper also mentions that the trend towards fewer third-party technology platforms was being accelerated by the Covid-19 pandemic.
What’s it got to do with Wirecard?
Wirecard was a third-party payment processor that hit the headlines after an accounting scandal was unearthed by journalists at the Financial Times. The UK’s Financial Conduct Authority ordered Wirecard Card Solutions to cease operating pending an investigation, with the knock-on effect that millions of customers’ bank cards stopped working. The FSB paper doesn’t mention Wirecard – however, it’s exactly the sort of scenario the paper is designed to highlight.